🚦 Penalty: unpatched vulnerabilities identified by pentests

Cybersecurity | 26/06/2025

🚨 Spain, a French supermarket chain sanctioned:
For failing to correct all the flaws identified by the pentests.

Regulator: AEPD
Source: ps-00128-2024

🔍 Background:
Between October 2022 and September 2023, the supermarket chain suffered five credential-stuffing attacks that allowed fraudulent access to 118,895 customer accounts and undue use of ‘chequeAhorro’ vouchers.
Internal pentests carried out in 2022-2023 had already reported several vulnerabilities (weak passwords, lack of MFA, insufficient anomaly detection), but most of the fixes were either not deployed or deployed very late.

⚖️ Sanction:
The Spanish Data Protection Authority (AEPD) therefore found breaches of Articles 5(1)(f), 32 and 34 GDPR, imposed a €3.2m fine and required the supermarket chain to notify all affected customers individually within one month of the decision.

💡 Operational lessons
- Credential stuffing = your risk
The AEPD considers that the compromise of accounts via reused credentials remains the responsibility of the data controller as long as it has not implemented MFA, anomaly detection and limiting of login attempts.

- ‘Grey box’ pentest ≠ excuse
The chain argued that certain flaws were only visible after controls had been disabled; the Authority's response: once the risk is demonstrated, there is an obligation to correct it.

- Double basis: 5(1)(f) + 32
When data is actually exposed and the controls in place were insufficient, the AEPD sanctions under both articles cumulatively, Articles 5(1)(f) and 32.

- Customer notification: not just a generic e-mail!
The notification must explain the nature of the breach, the categories of data concerned, the likely consequences, the measures taken and to be taken, and the DPO's contact details (Art. 34(2)).
